Friday, September 17, 2010

Strong Cryptography? Really?

About a year ago I was working with a client who was trying to implement strong cryptography.

After multiple failed iterations, I explained that the cryptography had to be strong, meaning they had to use a robust encryption algorithm and a key of sufficient length that it could not feasibly be broken by brute force.

The client's response: "We use a 14 character passphrase. Isn't that good enough?"

* facepalm *
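The distinction behind this one, as an added example that is not part of the original post: a key derived from a passphrase is never stronger than the passphrase's entropy, however many bits the key nominally has. The Python script below (standard library only; the 600,000 PBKDF2 iterations and the 10^12 guesses-per-second attacker rate are assumptions chosen for illustration) bounds the entropy of a 14-character passphrase for a few character classes and compares it with a randomly generated 128-bit key.

```python
import hashlib
import math
import os

# Alphabet sizes for the usual passphrase character classes.
ALPHABETS = {
    "lowercase": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,
}


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the entropy of a passphrase of `length` characters
    drawn uniformly at random from an alphabet of `alphabet_size` symbols.
    Human-chosen passphrases fall well below this bound."""
    return length * math.log2(alphabet_size)


def derive_key(passphrase: str, salt: bytes, key_len: int = 32,
               iterations: int = 600_000) -> bytes:
    """Stretch a passphrase into a fixed-length key with PBKDF2-HMAC-SHA256.
    The output is key_len bytes (32 = a 256-bit AES key) no matter how weak
    the passphrase is: a KDF cannot add entropy, it can only slow guessing.
    The iteration count is an assumed value for illustration."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def effective_strength_bits(passphrase_len: int, alphabet_size: int,
                            key_len: int = 32) -> float:
    """An attacker brute-forces whichever is cheaper: the key space or the
    passphrase space. Effective strength is the smaller of the two."""
    key_bits = 8 * key_len
    return min(key_bits, passphrase_entropy_bits(passphrase_len, alphabet_size))


def brute_force_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected time to search half the space at a given guess rate.
    The default rate (10^12 guesses/s) is an assumed figure for a large
    GPU cluster against a fast KDF, used only to make the bits tangible."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_key("correct horse", salt)  # constructed sample passphrase
    print(f"derived key: {len(key) * 8} bits nominal")
    for name, size in ALPHABETS.items():
        bits = effective_strength_bits(14, size)
        print(f"14 chars, {name:16s}: {bits:6.1f} effective bits, "
              f"~{brute_force_years(bits):.2e} years at 1e12 guesses/s")
    print(f"random 128-bit key        : 128.0 effective bits, "
          f"~{brute_force_years(128):.2e} years at 1e12 guesses/s")
```

Even 14 characters drawn uniformly from all 95 printable ASCII characters top out at about 92 bits, below a 128-bit key; 14 lowercase letters give about 66 bits. A 32-byte key derived from such a passphrase is a 256-bit key in name only, and the "14 character passphrase" answers a question nobody asked.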

Thursday, September 16, 2010

Passwords will stop them ...

Me: "Mr. Client, you have no firewall at this Internet connection point. You really need to deploy one."
Client: "Why?"
Me: "Because you currently have no protection from hackers. Anyone on the Internet can get direct access to your system."
Client: "That's why we have passwords. They have to log in first, and if they don't have a password, they can't get in."

* facepalm *

We make *blahblah*...

Me: "Mr. CIO, our network is wide open; my five-year-old could hack it"
Him: "Oh, so what. All the important stuff is on our miniframe"
Me: "...and that's impenetrable?"
Him: "Yep, NO ONE has ever hacked our type of miniframe"
Me: (walks away, comes back 10 minutes later and hands Mr. CIO his password and the root password for the system)
Him: "Oh... well we just make *blahblahblah*. No one would ever hack us"


A D-?? really??

"Ms. Customer, what is your goal with this PCI-DSS gap analysis?"
"We want to pass the audit with a D-"


Bolt on?

"Mr. Customer, to characterize your security as 'bolt-on' would be disingenuous. I would rather say that you took security, poured it into a paint bucket and then proceeded to drizzle it over your product in the manner of a Jackson Pollock piece"

That should fix a thing or two

Okay, in theory you can post comments now... If you'd like to be a contributor, send me an email address so I can set you up...


Wednesday, September 15, 2010

Introduction to SecFacePalm

So you figure you will go forth and make the world a better place. Going to fix all the problems in security. It's just soooo obvious that any idiot will understand it once you explain it to them in terms they can understand...

BWAAAAAaAAAAaAa ha ha ha ha ha !!!!! (in a voice like Bender from Futurama)

This is a place to share your favorite stupid user tricks, MBA quotes, and developer-in-denial babble.

Anonymous or attributed, I don't care, just bring us your security facepalm moments...

Let the laughter begin...